SilabRAT

Group-IB analysts have observed buyers of SilabRAT deploying it in email spam and ClickFix attack campaigns... Victims typically encounter a ClickFix prompt through three main methods: phishing, malicious advertisements, or visiting compromised websites.

The second method utilizes Scheduled Tasks, allowing the malware to execute at predefined intervals or specific system events.

From there, operators can task individual bots or groups – to launch HVNC sessions, trigger the stealer, execute payloads via the loader...

In Group-IB’s observed case, the victim was compromised through the ClickFix social engineering technique.

The second method utilizes Scheduled Tasks, allowing the malware to execute at predefined intervals or specific system events.

SilabRAT utilizes an additional DLL named “APPB.dll” to employ the widely utilized technique of COM elevation to bypass ABE, where it decrypts the key by creating an instance via the GoogleChromeElevationService.

The first leverages Registry Run keys to achieve execution at user logon.

The second method utilizes Scheduled Tasks, allowing the malware to execute at predefined intervals or specific system events.

The author has written in forum posts future plans to implement fully customizable injection capabilities targeting Electron-based applications... injecting malicious code directly into their Electron processes.

SilabRAT utilizes an additional DLL named “APPB.dll” to employ the widely utilized technique of COM elevation to bypass ABE, where it decrypts the key by creating an instance via the GoogleChromeElevationService.

The first leverages Registry Run keys to achieve execution at user logon.

When necessary, SilabRAT attempts to bypass Windows UAC (User Account Control) by elevating privileges using the ICMLuaUtil COM interface.

The author has written in forum posts future plans to implement fully customizable injection capabilities targeting Electron-based applications... injecting malicious code directly into their Electron processes.

These capabilities include keylogging functionality to capture user keystrokes...

Session hijacking is often more effective than password theft because it compromises an active authenticated session... Traditionally, session hijacking is achieved via stealing cookies. | Traditionally, session hijacking is achieved via stealing cookies. It is an old school technique where an attacker steals active session cookies and imports it into their own browser to impersonate the victim.

Beyond simply collecting cryptocurrency wallet data and stored credentials, the panel also advertises functionality that assists buyers in automatically cracking wallet passwords. This is achieved by leveraging passwords harvested from the victim’s browser data.

This is achieved by leveraging passwords harvested from the victim’s browser data... Once initialized, it invokes the DecryptData method to decrypt the “ app_bound_encrypted_key” which will then be used to decrypt the encrypted cookies.

It supports a remote desktop via TightVNC that allows the operator to monitor the victim’s desktop.

These capabilities include keylogging functionality to capture user keystrokes...

...and also clipboard monitoring, and clipping.

Additional modules enable remote process execution and downloading of further payloads, allowing attackers to further deploy additional malware after initial compromise.

The current implementation of the defense evasion technique is limited to straightforward bypasses targeting the Anti-Malware Scan Interface (AMSI). Specifically, the method employs a simplified approach to interfere with the AmsiScanBuffer and AmsiScanString functions...